COMMAND

    HP OpenView OmniBack II

SYSTEMS AFFECTED

    Platforms running OB 2.10 / OB 2.30 / OB 2.55

PROBLEM

    Hewlett-Packard  has  learned  that  the  HP  OpenView OmniBack II
    product  (OB)  has  defects  that  allow  users to gain additional
    privileges.  The OB program runs natively on HP-UX yet also executes
    on  other  platforms  as  noted  below.     Updated  binaries have
    been  produced  for  those  products  and  should be retrieved and
    installed.  OB  provides Server support  of HP9000 Series  700/800
    with HP-UX and PC with Windows NT.

    OB provides client support of HP9000 Series 700/800 running HP-UX,
    SunSparc running Solaris, SunSparc running SunOS, RS/6000  running
    AIX, Novell, PCs running Windows  95, PCs running NT, SNI  running
    Sinix, SGI IRIX (only EFS  and XFS filesystems) and Digital  Unix.
    The  following  versions  of  OB  are  affected  on  all supported
    platforms: OB  2.10 /  OB 2.30  / OB  2.55.   (NOTE: OB 2.50 is no
    longer supported.)

    The following is based on the RSI alert advisory.  Credit goes to
    'Bermuda Brian'.  Although Omniback is not known to be shipped with
    any operating system, many platforms are supported by the Omniback
    software package according to Hewlett-Packard.  Installation of
    Omniback on any system could potentially leave you vulnerable.

    Three problems  are covered  in RSI's  advisory.   The first issue
    allows an attacker to remotely  execute commands on the server  by
    sending arbitrary data  with a ";"  after commands such  as "CELL"
    or  "INFO".   The  second  issue  also  allows remote execution of
    commands by impersonating a valid  user and Omniback server.   The
    third issue allows  for any file  on the system  to be overwritten
    locally via a /tmp symlink problem.  These problems are present
    in the 2.1 and 2.5 Omniback Cell servers, disk agents, and media
    agents.

    The Omniback protocol is vulnerable to spoofing attacks, which
    introduce the following vulnerabilities.

    Vulnerability #1:
    =================
    Omniback allows commands to be executed with root access since  it
    requires  full  access  to  the  local  filesystem.   By   sending
    arbitrary data to the Omniback server containing commands such  as
    "CELL;command" or "INFO;command", an attacker can execute commands
    as root.

    Vulnerability #2:
    =================
    Omniback  also  allows  remote  commands  to be executed through a
    second process.  Any user  that can impersonate the Omniback  Cell
    server  can  start  a  job  on  the  remote system and potentially
    execute commands as root.

    Vulnerability #3:
    =================
    Omniback allows an arbitrary local user to overwrite any file on the
    filesystem.  By symlinking /tmp/util.tmp  to the file you want  to
    create/overwrite  and  sending  the  Omniback  server  an UNSECURE
    command, you can potentially create/overwrite that file.
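
    The fixed name /tmp/util.tmp in Vulnerability #3 is the classic
    predictable temp-file pattern.  The C code below is an added
    illustration, not OmniBack code and not part of the RSI or HP
    advisories: it assumes a POSIX system, and the function names and
    the scratch-directory scenario are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Vulnerable pattern: a privileged process opens a fixed, predictable name
 * and follows whatever is there, so a planted symlink redirects the write. */
int unsafe_write_tmp(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything, a symlink
 * included, already exists at `path`; fstat() re-checks the opened object. */
int safe_write_tmp(const char *path, const char *data) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1)
        { close(fd); return -1; }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed scenario: util.tmp -> victim in a scratch dir; 1 = overwritten. */
int victim_clobbered(int use_safe) {
    char dir[] = "/tmp/obdemoXXXXXX", victim[64], lnk[64], buf[16] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/util.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("original", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, lnk) != 0) return -1;
    (use_safe ? safe_write_tmp : unsafe_write_tmp)(lnk, "clobber!");
    f = fopen(victim, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    unlink(lnk); unlink(victim); rmdir(dir);
    return strcmp(buf, "original") != 0;
}

int main(void) {
    printf("unsafe: %d, safe: %d\n", victim_clobbered(0), victim_clobbered(1));
}
```

    Where the file name does not have to be fixed, mkstemp() in a
    directory writable only by the daemon avoids the predictable name
    altogether.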

    This software has also been ported to a number of other  platforms
    which  are  currently  untested,  but  may  be subject to the same
    vulnerabilities:

        SGI IRIX 5.3
        SNI Sinix 5.4.2
        IBM AIX 3.2.5, 4.1
        Hewlett Packard HP-UX 9.0, 10.0, 10.20, 11.0
        Sun Microsystems SunOS 4.1.3, 4.1.4, 5.3, 5.4, 5.5, 5.6
        Novell Netware 3.11, 3.12, 4.01, 4.1
        Microsoft Windows NT Server & Workstation 3.51, 4.0
        Further platforms can be included via NFS and shared disks

SOLUTION

    Patches are in progress to address issues #1 and #3.  The following
    temporary solutions exist to help deal with the above issues;
    however, each solution may not be best suited for your network or
    adequately deal with the problems.  Adding access controls to
    'inetd.sec' could potentially limit the scope of a network attack,
    but would not be considered a complete or failsafe solution.
    Blocking port 5555 at the external router of your network will
    defend against most Internet-based attacks, but could potentially
    interfere with other applications that may use port 5555, such as
    'personal-agent'.  Current IANA port assignments include a note (in
    comments) that HP Omniback also uses this port, but do not
    specifically assign it to the Omniback service.  Blocking the port
    at the router will not protect you from internal/Intranet attacks.

    Hewlett-Packard Co.  recommends obtaining  the patches  referenced
    below  for  the  Cell  Managers  (aka  Cell  Servers) to fix these
    vulnerabilities.  If you are running:

        OBII 2.55 on HP-UX release 10.X with UNIX clients:    PHSS_16473
        OBII 2.55 on HP-UX release 11.X with UNIX clients:    PHSS_16474
        OBII 2.55 on HP-UX release 10.X with Windows clients: PHSS_16533
        OBII 2.55 on HP-UX release 11.X with Windows clients: PHSS_16534
        OBII 2.10 on HP-UX release 9.X:                      *PHSS_16477
        OBII 2.10 on HP-UX release 10.X:                     *PHSS_16478
        OBII 2.30 on Windows NT:                          OMNIBACK_00004

    * Note patch dependencies PHSS_12864 and PHSS_12865 for releases
      HP-UX  9.X  and  10.X,  respectively.   The  patches contain all
      binaries for all client platforms.  (NOTE: OmniBack II 2.50  has
      been replaced by  2.55.  Support  for OmniBack II  2.50 has been
      discontinued.)  This solution is also a part of OmniBack II 3.0.

    With all of the new patches, two of the three vulnerabilities have
    been fixed.  Solving or minimizing the third one requires
    additional administrative effort as described in:

        Document ID:  RAF36213ECA
        Date Loaded:  19981011
        Title:  Security Vulnerability with HP OpenView Omniback II

    which can be found on the HP site.